What are vulnerability scans and penetration tests, and why are they important?

Vulnerability Scanning is typically an automated, high-level process that identifies possible security flaws and weaknesses in a network, but can generate false positives that must be manually verified. Vulnerabilities might include systems that are not patched or networks that are not set up with security in mind. One of the many benefits of vulnerability scans is that they allow for larger ranges of systems to be efficiently scanned in a shorter amount of time.

Penetration testing is a manual process that attempts to exploit certain vulnerabilities identified in a network that can be used to gain access to the network, just like a hacker would. Essentially, penetration testing evaluates a security control’s ability to prevent a data breach. A penetration tester won’t necessarily exploit all vulnerabilities found. Typically, the tester will exploit the vulnerabilities that a hacker would be more likely to use.

Although both the vulnerability scan and penetration test have the same goal, identifying security threats, there are many differences between the two. The biggest difference is that vulnerability scanning is intended to provide a snapshot of all the devices on a given network in its entirety whereas a penetration test is generally goal-oriented. That is, only the most vulnerable systems will be targeted during a penetration test for exploitation and, as a result, not all systems will be, nor can be attacked .

Companies that conduct these scans and tests should provide your organization with reports of the vulnerabilities uncovered and any access the tester was able to gain during the penetration test. Having these reports will enable your organization to develop a mitigation plan and start implementing controls and fixes.

Are vulnerability scans and penetration tests required to be HIPAA compliant?

HIPAA does not specify that vulnerability scans or pen tests are required. HIPAA is deliberately broad in scope so organizations can determine how to best protect PHI in their situation. However, under the Technical Safeguards (§ 164.312) requirements, organizations are required to implement Access Controls, Integrity Controls and Audit Controls. Vulnerability scans and penetration tests are two of the best methods for addressing those required HIPAA safeguards, and ultimately, they help an organization determine if their controls are effective.

Why are vulnerability scans and penetration tests important to Health Care?

Security incidents and breaches are on the rise. The cost of a health care breach is at an all-time high. Protected Health Information (PHI) is one of the most expensive pieces of data available on the dark web. Additionally, large health care organizations are not the only ones affected by hacking and ransomware; they are simply more likely to notice the issue.

Smaller organizations are also being targeted, as they tend to have less money to spend on security controls and little to no technical staff who know how to protect networks. Considering these risks and the benefits of scanning and testing, all healthcare organizations should consider obtaining vulnerability scans and penetration tests. With companies providing lower rates, these services are more attainable for any sized organization.